Analysis
  max time kernel: 12s
  max time network: 124s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 14-08-2021 03:32
Static task: static1

Behavioral task: behavioral1
  Sample: 86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  Size: 461KB
  MD5: f0fc2455a7cdd023373fd6bef8b066b1
  SHA1: 9e2a0536d71a558a1b3a0fd76bcb9f79670fdb16
  SHA256: 86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134bcec227df7ae8cc2b0d
  SHA512: c04638b18de0067dacbcf8a0c6547d3cec0bc0e6af8062ba3a26e10c1a888e05658669b5e4530a75d2ef646a7fa64e60a433b54b7d409648ea44eee5011f6ee6
Malware Config (Extracted)
  Family: raccoon
  Botnet: cd8dc1031358b1aec55cc6bc447df1018b068607
  Attributes:
  - url4cnc: https://telete.in/jagressor_kz
  - rc4.plain
  - rc4.plain
Signatures

Raccoon Stealer Payload (1 IoC)
Processes:
  resource: behavioral2/memory/2016-115-0x0000000000400000-0x0000000002CA9000-memory.dmp
  yara_rule: family_raccoon

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description: PID 1972 created 2016
  pid / process: 1972 WerFault.exe
  target process: 86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe

Program crash (5 IoCs)
Processes (pid, pid_target, process, target process):
  3724  2016  WerFault.exe  86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  4052  2016  WerFault.exe  86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  196   2016  WerFault.exe  86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  3056  2016  WerFault.exe  86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  1972  2016  WerFault.exe  86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process; the report repeats each row once per event):
  3724  WerFault.exe  (14 events)
  4052  WerFault.exe  (14 events)
  196   WerFault.exe  (14 events)
  3056  WerFault.exe  (14 events)
  1972  WerFault.exe  (8 events)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description, pid, process):
  Token: SeRestorePrivilege  3724  WerFault.exe
  Token: SeBackupPrivilege   3724  WerFault.exe
  Token: SeDebugPrivilege    3724  WerFault.exe
  Token: SeDebugPrivilege    4052  WerFault.exe
  Token: SeDebugPrivilege    196   WerFault.exe
  Token: SeDebugPrivilege    3056  WerFault.exe
  Token: SeDebugPrivilege    1972  WerFault.exe
Processes (process tree; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\86c85206d1b307d93a14394cb78d1910f9dcfd0c4c134.exe"
  PID: 2016

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 736
    PID: 3724
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 748
    PID: 4052
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 712
    PID: 196
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 884
    PID: 3056
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 552
    PID: 1972
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken